Jamie Thingelstad's personal website

Potential changes to cookies in Chrome. – Google Groups
Cookies are a bit of a rough edge on the web’s security model. They don’t respect the same origin policy, and the disconnect between their persistence model and that of the rest of the platform causes no end of teeth-gnashing and hair-pulling among developers and auditors alike. We’re planning a few changes to bring things into something more closely resembling alignment.
Building for HTTP/2
This is everything-you-thought-you-knew-is-wrong kind of stuff. In an HTTP/2 world, there are few benefits to concatenating a bunch of JS files together, and in many cases the practice will be actively harmful. Domain sharding becomes an anti-pattern. Throwing a bunch of <script> tags in your HTML is suddenly not a laughably terrible idea. Inlining of resources is a thing of the past. Browser caching — and cache busting — can occur on a per-module basis.

MediaWiki 1.26 – MediaWiki
MediaWiki 1.26 now released.
Perl 6 Introduction
This document is intended to give you a quick overview of the Perl 6 programming language.
Tools, Culture and Aesthetics – The Art of DevOps – JAXenter
“Culture is not important, but shared aesthetic is crucial” is the formula that J. Paul Reed follows for finding out what DevOps means to companies of all shapes and sizes. In his DevOpsCon 2015 Keynote in Munich, he hones in on what exactly that formula entails.
Moving Fast with Software Verification | the morning paper
How do you mesh formal verification “proponents of which sometimes even used to argue that programs should be developed only after a prior specifications had been written down,” with a continuous delivery model? This strikes me as very similar to the problem of integrating security into a continuous delivery pipeline too. On the web, Facebook pushes new changes to code twice a day – but mobile platforms are now even more important than the web. With the mobile platforms (iOS and Android), you can’t just push new features and bug fixes the minute they are ready – Facebook can only distribute a new version to the Apple App Store or Google Play but the user controls if/when they update.
Software Developers’ Growing Elitism Problem
Some, however, mistake difficulty or inaccessibility for rigor. They assume that just because something was hard when they did it that it should always be hard. I remember being laughed at when I told more experienced colleagues in 2004 that the only programming language I knew was JavaScript. I wasn’t a “real” programmer yet, according to them, because I hadn’t learned how to write assembly code.
Samsung’s Smartcam HD Plus is like a Nest Cam that’s not shackled to the cloud
When you think “Samsung,” you think of smartphones, TVs, and maybe smart kitchen appliances if you’re a foodie. However, it’s not the first company to come to mind when you think “home security.”
Superforecasting – Wikipedia, the free encyclopedia
A number of people participated in an IARPA tournament that encouraged forecasters to update forecasts in real time. The top performers on the 2,800 tournament were categorized as superforecasters based on their Brier score. The collective Brier score of superforecasters was 0.25, compared with a score of 0.37 for other forecasters. Some discussed superforecasters included Doug Lorch, Bill Flack, and Sanford Sillman (an atmospheric scientist). Superforecasters even “performed” 30 percent better than the average for intelligence community analysts who could read secret data.
Good Judgment Project
Your path to better decisions starts here.
The Good Judgment Project – Wikipedia, the free encyclopedia
The Good Judgment Project (GJP) is a project “harnessing the wisdom of the crowd to forecast world events”. It was co-created by Philip E. Tetlock (author of Superforecasting and of Expert Political Judgment: How Good Is It? How Can We Know?), decision scientist Barbara Mellers, and Don Moore.
How to destroy an American family
The Straters’ lives have been devastated by relentless cyberattacks. And there’s nothing they can do about it.
building a culture of innovation
Atlassian is built on the bright ideas and efforts of our team because we’d grow stagnant as a company if we relied only on the ideas of a select and blessed few. Indeed, our long-term survival depends on our ability to continuously improve through change.
Mob Programming, and the importance of fun at work
It’s been a few weeks since SoCraTes UK 2014, and I’ve had some time to reflect on the event and my learning experiences. Today, I want to talk about the biggest things that stood out for me.
inessential: Blogs by Women: the OPML File
In Blogs by Women I presented a list of blogs of interest to Mac and iOS developers, designers, and power users that are written by women. Today I created an OPML file
Did Carnegie Mellon Attack Tor for the FBI? – Schneier on Security
The behavior of the researchers is reprehensible, but the real issue is that CERT Coordination Center (CERT/CC) has lost its credibility as an honest broker. The researchers discovered this vulnerability and submitted it to CERT. Neither the researchers nor CERT disclosed this vulnerability to the Tor Project. Instead, the researchers apparently used this vulnerability to deanonymize a large number of hidden service visitors and provide the information to the FBI.
The Keys To Enya’s Kingdom
Over the course of three decades and with 80 million records sold, Enya has morphed into more than musician: She’s her own adjective. What makes her music — and the mysterious woman behind it — appealing to so many? Anne Helen Petersen visits the reclusive singer in Ireland.
s2n and Lucky 13
Great security research combines extremely high levels of creativity, paranoia, and attention to detail. All of these qualities are in evidence in two new research papers about how s2n, our Open Source implementation of the SSL/TLS protocols, handles the Lucky 13 attack from 2013.
Iceland’s Blue Lagoon with Kids: Good, Bad and Naked
We knew this was going to be unlike any country we’ve visited so far. We were in Iceland two weeks ago during a four-day stopover on our way to the Scandinavia region. There is so much to amazing Iceland that I can’t wait to write about it and share.
Charles Babbage, perfectionist engineer
I recently finished Sydney Padua’s entertaining and educational The Thrilling Adventures of Lovelace and Babbage. Several of the stories are available online, but the book is well put together (not to mention much easier to read than the web version) and includes a bunch of integrated source materials and illustrated footnotes.

Disney World 2015

The Martian

Great movie. Very entertaining. As usual, book was better and the movie cut out a lot of stuff but still highly recommend. 

Open Source North 2015

This weekend I was able to join what I expect will be the 1st annual Open Source North conference. I gave a talk on Using Open Source to Transform Your Organization. I wasn’t able to stay for the entire day but the event was very well run, good lineup of speakers and very good attendance as well.

I’m hoping they plan to organize this again next year, I can definitely see this growing into a substantial event.

Journaling Habit

For years I’ve thought it would be great to keep a daily journal. I bought Day One for iOS and my Mac. But I’ve never been consistent. About a month ago I changed tack. Hit 13 days in a row so far.

S’mores Selfie (Oct 2015)

Family (Sept 2015)

Having fun at the Renaissance Festival!

Lunar Eclipse 2015

We had a fun night in our neighborhood tonight watching the lunar eclipse with a number of our neighbors. I got out the 70-200/f2.8L and put the 2x doubler on it to see what I could capture on my camera. Really brings the red out.

Namecheap Leaks Password in Security Notification

Please make sure to see UPDATE section at end of this post.

This isn’t good at all. I have security notification alerts enabled in Namecheap because I want to know when something is changed related to my domains, just to make sure I’m always the one that initiated it. Today I changed my password and got this:

Activity Notification
Dear Jamie Thingelstad,

There was some activity in your namecheap account. Information on what
type of change occurred is available below.

Notification For     : PASSWORD
Date                 : 9/27/2015 4:15:28 PM  
IP Address           :
Username             : my-username
Domain (if relevant) : N/A

Old Details

New Details
Additional Information



If you no longer wish to receive notifications, you can login to your
Namecheap account and disable notifications in the Modify Profile >
Security Settings page. If you have any questions, please contact us.

I’ve replaced the passwords that were in the email because they were my passwords, sent in plaintext, in email. This is pretty much terrible.

  1. Of course email isn’t encrypted so now anyone that has sniffed that email knows my password, and my username is handily referenced as well (I changed it as well in this copy).
  2. This is evidence that Namecheap is storing my password in plaintext somewhere. They should only be storing the hash of it using something smart to protect it. Double bad!

The only good news is I have the optional two-factor authentication enabled that uses an SMS message to my phone so I at least have that to fall back on but this is a terrible security practice that I’m shocked Namecheap is doing.

Please fix this immediately!

PS: After fixing this, can we get a real two-factor solution instead of SMS?

UPDATE (Sept 28):

Within minutes of sharing this post on Twitter I got a response from @Namecheap.

and 17 minutes after that they confirmed that they fixed this.

Given how fast they fixed it I have to assume that what they fixed was issue #1, that they are suppressing the email notification for “PASSWORD” events. That is good and will keep the password from leaking into email, however I would really like to know if they are storing passwords in plaintext somewhere. It should be impossible for a service to tell you what your password is, they should only know some form of a hash derived from your password.
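To make the last point concrete, here is an added example (not Namecheap's code, and not part of the original post) of a password-change handler that keeps only a salted hash, so neither the database nor the notification can reveal the password. PBKDF2-HMAC-SHA256, the iteration count, and all function names are assumptions chosen for this sketch; the notification fields echo the email quoted above.

```python
import hashlib
import hmac
import os

# Assumed cost setting for this example; tune for your own hardware.
ITERATIONS = 600_000


def hash_password(password: str) -> dict:
    """Return the only record the service keeps: a random salt and the derived digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "digest": digest}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    record["salt"], ITERATIONS)
    return hmac.compare_digest(candidate, record["digest"])


def change_password(store: dict, username: str, old: str, new: str) -> str:
    """Verify the old password, store a new record, return the notification text."""
    if not verify_password(old, store[username]):
        raise PermissionError("current password does not match")
    store[username] = hash_password(new)
    # The notification reports the event only. The passwords are never written
    # into it, and the stored record cannot be turned back into a password.
    return ("Notification For     : PASSWORD\n"
            f"Username             : {username}\n"
            "Old Details          : (not stored)\n"
            "New Details          : (not stored)\n")


def demo() -> str:
    # Constructed sample account and passwords, for illustration only.
    store = {"my-username": hash_password("old-sample-password")}
    return change_password(store, "my-username",
                           "old-sample-password", "new-sample-password")


if __name__ == "__main__":
    print(demo())
```
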

First day of Kindergarten

Tyler finished his first day of kindergarten! He, Tammy and I all made it through just fine. He had a great day and got lucky to have a ton of his friends in his class. Feels a little weird having both kids in school now.


© 2015 thingelstad
